Group seeks €10bn pay-out over adtech GDPR breach

dataA Dutch consumer privacy group says it has given up on EU data protection authorities’ efforts to bring the adtech industry to heel and is going straight for legal action against both Salesforce and Oracle over how their use of real-time bidding breaches GDPR.

With the UK Information Commissioner’s Office widely accused of a go-slow in its own investigation into the sector – the ICO recently admitted that its probe may not restart until 2021 – the Privacy Collective has filed a class action lawsuit in Amsterdam and is planning to do the same at the High Court in London later this month. It reckons the action could cost the California-based companies up to €10bn (£9bn) in pay-outs.

The group alleges both companies collect users’ personal data without their consent and then auction it off to other companies without their knowledge. The Netherlands lawsuit demands a €500 (£451) payment for each user who has not consented to the use of their sensitive personal data.

The Privacy Collective claims that both have used third-party cookies Bluekai and Krux to misuse consumers’ personal data. The cookies, which are hosted on multiple websites including Ikea, Twitch, Dropbox,, and Comparethemarket, are used for dynamic ad pricing services.

It insists that Oracle and Salesforce held on to personal data that consumers had not proactively consented to share and took an inconsistent approach to securing sensitive information. The lawsuit further accuses the companies of facilitating sales using harmful ads.

According to the Privacy Collective, both companies sell profiles created from the personal data they have gathered from users to other companies via real-time bidding without the knowledge or consent of the users.

The group stated: “An important argument for suing these two parties in particular is the scope and impact of their unlawful acts in the Netherlands. They are prominent. At the same time, they often operate behind the scenes.

“Everyone knows Google and Facebook, but these companies are less known, while they act in an unprecedented way in our personal data on a daily basis. Many complaints have already been filed with regulators about the adtech industry, but too little is happening with those complaints. Everyone agrees that this should stop, but the world is so complex that regulators do not dare to do it yet.

“Research shows that from a selected list of 100 websites that are frequently visited by Dutch internet users, 25 place Oracle’s cookies and 31 Salesforce cookies. Through the cookies on these websites, the groups collect data about almost every Dutch person who regularly visits the Internet.”

Perhaps unsurprisingly, both companies deny any wrong-doing.

Oracle general counsel Dorian Daley said: “Oracle has no direct role in the real-time bidding process, has a minimal data footprint in the EU, and has a comprehensive GDPR [privacy] compliance programme.”

A spokesperson for Salesforce added: “Salesforce disagrees with the allegations and intends to demonstrate they are without merit. Our comprehensive privacy programme provides tools to help our customers preserve the privacy rights of their own customers.”

Related stories
Privacy groups hit out at fresh delay to adtech probe
ICO strikes back at claims it has shut down all cases
ICO reveals fewer than 1% of investigations led to a fine
‘Chicken’ ICO kicks adtech investigation into long grass
ICO ‘cosies up’ to industry in bid to tackle adtech issue
ICO urged to act now on adtech or be seen as soft touch

Print Friendly